Google OAuth Malware: Account Hijack!

CloudSEK Researchers Analyzed a Zero-Day Exploit that Can Allow the Generation of Persistent Google Cookies through Token Manipulation

In October 2023, a zero-day exploit was discovered that allows the generation of persistent Google cookies through token manipulation. The exploit was first uncovered by a developer known as PRISMA. An attacker can use it to access Google services even after the user has reset their password. Researchers from Hudson Rock were among the first to warn that threat actors were exploiting the zero-day.

CloudSEK researchers reverse engineered the exploit and discovered that it relies on an undocumented Google OAuth endpoint named 'MultiLogin'. The MultiLogin endpoint is an internal mechanism that allows the synchronization of Google accounts across services. The endpoint receives a vector containing account IDs and auth-login tokens, which it uses to handle concurrent sessions efficiently or to switch seamlessly between user profiles.

The Lumma Infostealer was spotted using the exploit on November 14. Subsequently, other malware integrated the exploit, including Rhadamanthys, Risepro, Meduza, Stealc Stealer, and, most recently, White Snake. The researchers discovered that the malware targets the token_service table in Chrome's WebData to extract the tokens and account IDs of logged-in Chrome profiles.

According to the report published by CloudSEK, this table contains two crucial columns: service (GAIA ID) and encrypted_token. The encrypted tokens are decrypted using an encryption key stored in Chrome's Local State within the UserData directory, similar to the encryption used for storing passwords. The Lumma malware continuously regenerates cookies for Google services by manipulating the token ID pair. The experts pointed out that the exploit works even after users have reset their passwords.

The persistence in access allows for prolonged and potentially unnoticed exploitation of user accounts and data. CloudSEK researchers warn that compromised accounts can lead to stolen sessions, phishing, and other cyber threats.

The researchers found that imperfect testing of the exploit revealed its source. Analysis of the user-agent string found in the source code suggests that a penetration test on Google Drive's services on Apple devices was a potential origin for the exploit.

At this time, Google has yet to confirm that threat actors are using the zero-day exploit in the MultiLogin endpoint. However, the threat research team at CloudSEK recommends that organizations take the necessary mitigation steps to protect user profiles and limit the impact of evolving cyber threats. They also suggest implementing abuse detection measures to identify and prevent unauthorized access to session cookies.
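
One way to act on the detection recommendation above, as an added example that is not from CloudSEK or the original article: flag any process other than the installed browser that reads the Web Data or Local State files described earlier, and raise the severity when one process reads both within a short window. The event tuple layout, the allowlisted path and the five-minute window are assumptions; the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Files named in the article: Web Data holds the token_service table and
# Local State holds the key used to decrypt its encrypted_token column.
SENSITIVE = ("web data", "local state")
PROFILE_MARKER = "\\google\\chrome\\user data\\"
# Assumption: the only image allowed to read the profile, matched by full path
# so a stray binary that is merely named chrome.exe is still flagged.
ALLOWED = {r"c:\program files\google\chrome\application\chrome.exe"}
WINDOW = timedelta(minutes=5)  # assumed correlation window

# Constructed file-read events: (timestamp, process image, file path).
EVENTS = [
    ("2024-01-05T10:00:01", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Web Data"),
    ("2024-01-05T10:02:10", r"C:\Users\alice\AppData\Local\Temp\setup_x.exe",
     r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"),
    ("2024-01-05T10:02:12", r"C:\Users\alice\AppData\Local\Temp\setup_x.exe",
     r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Web Data"),
    ("2024-01-05T10:07:00", r"C:\Users\alice\AppData\Local\Temp\chrome.exe",
     r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Web Data"),
    ("2024-01-05T10:09:00", r"C:\Tools\backup.exe",
     r"C:\Users\alice\Documents\report.docx"),
]

def sensitive_file(path):
    """Return 'web data' or 'local state' for Chrome profile files, else None."""
    p = path.lower()
    if PROFILE_MARKER not in p:
        return None
    name = p.rsplit("\\", 1)[-1]
    return name if name in SENSITIVE else None

def detect(events):
    """Return (timestamp, image, file kind, severity) for suspicious reads."""
    seen = defaultdict(dict)  # image -> {file kind: time of last read}
    alerts = []
    for ts, image, path in sorted(events):  # ISO timestamps sort as strings
        kind = sensitive_file(path)
        if kind is None or image.lower() in ALLOWED:
            continue
        times = seen[image]
        times[kind] = datetime.fromisoformat(ts)
        # Reading both the token store and the key is what decryption requires.
        both = len(times) == 2 and abs(times["web data"] - times["local state"]) <= WINDOW
        alerts.append((ts, image, kind, "high" if both else "medium"))
    return alerts
```
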

Frequently Asked Questions

How can malware exploit OAuth endpoints to compromise session security?

Malware can exploit undocumented OAuth endpoints to regenerate Google service cookies, bypassing IP or password reset restrictions. This allows the attacker to hijack the user's session and gain access to their Google account. The malware can also use the stolen session tokens to gain access to other services that rely on the compromised Google account.

What measures has Google implemented to address the recent cookie vulnerability?

Google has not yet released an official statement regarding the recent cookie vulnerability. However, it is recommended that users enable two-factor authentication and regularly monitor their account activity for any suspicious behavior.

What are the risks associated with session tokens being stolen by malware?

If session tokens are stolen by malware, the attacker can gain access to the user's Google account and any other services that rely on the compromised account. This can result in sensitive information being exposed, such as personal emails, documents, and financial information. The attacker can also use the compromised account to send spam or phishing emails to the user's contacts.

How can users protect themselves from session hijacking through OAuth vulnerabilities?

Users can protect themselves from session hijacking through OAuth vulnerabilities by enabling two-factor authentication, regularly monitoring their account activity, and being cautious when granting access to third-party apps. Users should also ensure that they are only granting access to trusted apps and revoke access from any unused apps.

What steps should be taken if one suspects their Google session has been compromised?

If a user suspects that their Google session has been compromised, they should immediately change their password, enable two-factor authentication, and revoke access to any unused apps. The user should also monitor their account activity for any suspicious behavior and report any unauthorized access to Google.

Can two-factor authentication prevent exploitation of the documented OAuth issue?

Two-factor authentication can help prevent exploitation of the documented OAuth issue by adding an extra layer of security to the user's account. However, it is not a foolproof solution and users should still be cautious when granting access to third-party apps and regularly monitor their account activity.

